Each field extraction is associated with a specific source type or source value. If you have entered the field extractor after running a search, the sets of sources and source types that you can choose from are limited to those discovered in the results returned by that search. To see all of the source and source type sets in your Splunk deployment, go to the Field Extractions page in Settings.

If you select sourcetype, the Source Type list appears. Choose a source type there. If you do not see the source type that you would like to use, try adding that source type to your search and rerunning the search.

If you select source, the Source Name field appears. Enter a source value there.

This screenshot is an example of the source type listing you see when you enter the field extractor from the Field Extractions page in Settings.

After you provide a source type or source, the Events tab appears. If events exist that have the source or source type that you provided, they are listed in this tab.

In the event list, select a sample event that has one or more values that you want to extract as fields. Sample events are limited to twenty lines.

The selected event appears just above the Events tab.

When field extractions already exist for the source type or source that you have chosen, they are surrounded by colored outlines in the selected event and the events in the event list. Mouse over a circled value to see the name of the field.

Use the Fields sidebar to control existing field extraction highlighting

This is an optional action that you can perform on every field extractor step except Save.

The source or source type that you select may already be associated with search-time field extractions. When this is the case, the field extractor highlights the extracted field values in the sample events with colored outlines.

The field extractor highlighting functionality cannot display highlighting for overlapping field values. When two or more extracted fields share event text, it can only display highlighting for one of those fields at a time.

For example, if the field extractor extracts a phone_number value of (555) 789-1234 and an area_code value of 555 from the same bit of text in an event, it can display highlighting for the phone_number value or the area_code value, but not both at once.

When two or more existing field extractions overlap, the field extractor automatically disables highlighting for all of the fields. If you select a sample event with overlapping field extractions, the field extractor displays a red triangle warning indicator next to the Existing fields button.

Note: This warning does not appear when you use the Fields sidebar to manually turn off highlighting for extracted fields that do not overlap with other fields.

The Existing fields button opens the Fields sidebar. Use the Fields sidebar to:

Determine which existing field extractions are highlighted in the sample events.

Turn off highlighting for an existing field extraction, if you want to define a new field extraction that overlaps with it.

Determine whether an existing field extraction is accurately extracting field values.

Steps

Click Existing fields in the upper right of the screen.

The Fields sidebar opens. Existing field extractions for your selected source or source type appear in a table.

It is possible for a field to appear multiple times with different Pattern Name values.

If there are no existing field extractions, the table does not appear.

(Optional) Click open for an extraction to see detail information about it.

A page opens in a new tab. This page displays the regular expression that extracts the field. It also provides examples of events that the field extraction matches and values that the regular expression extracts.

If the field extraction matches a different event pattern than the one you want to extract the field from, you can create a new extraction with the same name as long as it has a unique Pattern Name. You define the pattern name for your field extraction at the Save step.

(Optional) Use the Highlighted checkboxes to manage highlighting of extracted fields in sample events.

Uncheck a Highlighted checkbox to turn off highlighting for a field and vice versa.

When two or more field extractions overlap with each other, only one of the field extractions can have highlighting enabled at any given time. To make an unavailable field extraction available again, deselect the field extraction that overlaps with it. If you then select the other extraction, the extraction that you just deselected becomes unavailable.

If you want to create a new field extraction that overlaps with an existing field extraction, you must first deselect the existing extraction. See the documentation of the Select Fields step for more information.

Close the sidebar by clicking the X in the corner or by clicking outside of the sidebar.
